Строка навигации

UIDAI’s Aadhaar Number Regulation Compliance

The Unique Identification Authority of India (UIDAI) was established under the provisions of India’s 2016 Aadhaar Act. UIDAI is responsible for issuing unique identification numbers (UIDs), called Aadhaar, and providing Aadhaar cards to all residents of India. The 12-digit UIDs are generated after the UIDAI verifies the uniqueness of enrollees’ demographic and biometric information; UIDAI must protect individuals’ identity information and authentication records.

Thales eSecurity can help your organization comply with many of the regulations and mandates required for Aadhaar.

2.8 Cryptography 1. The Personal Identity data (PID) block comprising of the resident’s demographic / biometric data shall be encrypted as per the latest API documents specified by the UIDAI at the end point device used for authentication (for e.g. PoT terminal)

2. The PID shall be encrypted during transit and flow within the AUA / KUA ecosystem and while sharing this information with ASAs

Encryption Key Management

2.8 Cryptography 6. Key management activities shall be performed by all AUAs / KUAs to protect the keys throughout their lifecycle. The activities shall address the following aspects of key management, including;

2.10 Operations Security 12. AUAs/KUAs shall ensure that the event logs recording the critical user-activities, exceptions and security events shall be enabled and stored to assist in future investigations and access control monitoring;

13. Regular monitoring of the audit logs shall take place for any possible unauthorized use of information systems and results shall be recorded. Access to audit trails and event logs shall be provided to authorized personnel only

Tokenization of Aadhaar numbers

This guidance is from Circular 11020/205/2017 in The Compendium:

In order to enhance the security level for storing the Aadhaar numbers, it has been mandated that all AUAs/KUAs/Sub-AUAs and other entities that are collecting and storing the Aadhaar number for specific purposes under the Aadhaar Act 2016, shall start using Reference Keys mapped to Aadhaar numbers through tokenization in all systems.

(a) All entities are directed to mandatorily store Aadhaar Numbers and any connected Aadhaar data (e.g. eKYC XML containing Aadhaar number and data) on a separate secure database/vault/system. This system will be termed as “Aadhaar Data Vault” and will be the only place where the Aadhaar Number and any connected Aadhaar data will be stored.

(c) Each Aadhaar number is to be referred by an additional key called as Reference Key. Mapping of reference key and Aadhaar number is to be maintained in the Aadhaar Data Vault.

(d) All business use-cases of entities shall use this Reference Key instead of Aadhaar number in all systems where such reference key need to be stored/mapped, i.e. all tables/systems requiring storage of Aadhaar numbers for their business transactions should from now onwards maintain only the reference key. Actual Aadhaar number should not be stored in any business databases other than Aadhaar vault.

The use of FIPS 140-2 Certified HSMs for Cryptographic Key Protection

Also from Circular 11020/205/2017 in The Compendium:

(f) The Aadhaar number and any connected data maintained on the Aadhaar Data Vault shall always be kept encrypted and access to it strictly controlled only for authorized systems. Keys for encryption are to be stored in HSM devices only.

Compliance Summary

Thales eSecurity can help you meet the many of the requirements UIDAI’s Aadhaar Number Regulation through the following:

The Vormetric Platform’s Security Intelligence Logs let your organization identify unauthorized access attempts and to build baselines of authorized user access patterns. Vormetric Security Intelligence integrates with leading security information and event management (SIEM) systems that make this information actionable. The solution allows immediate automated escalation and response to unauthorized access attempts, and all the data needed to build behavioral patterns required for identification of suspicious use by authorized users, as well as training opportunities.

Compliance Brief : Complying with UIDAI’s Aadhaar Number Regulations

The Unique Identification Authority of India (UIDAI) was established under the provisions of India’s 2016 Aadhaar Act. UIDAI is responsible for issuing unique identification numbers (UIDs), called Aadhaar, and providing Aadhaar cards to all residents of India. Learn how Thales can help your organization comply with many of the regulations and mandates required for Aadhaar.

Vormetric Encryption delivers what we need it to do – without any fuss or drama – knowing it’s in place is one less thing to worry about.Albert AvilaBusiness Solutions Specialist, Fujitsu America, Inc.

Thales eSecurity is our standard. Whenever an encryption solution is needed, the answer is always, ‘let’s start with Thales eSecurity.Damian McDonaldVice President of Global Information Security, Becton, Dickinson and Company

There is absolutely no noticeable impact on the performance or usability of applications. I am very excited at how easy the solution is to deploy and it has always performed flawlessly.Christian MuusDirector of Security for Teleperformance EMEA

Implementing Vormetric has given our own clients an added level of confidence in the relationship they have with us; they know we’re serious about taking care of their data.Audley Deansenior director of Information Security,BMC Software

Vormetric’s approach of coupling access control with encryption is a very powerful combination. We use it to demonstrate to clients our commitment to preserving the security and integrity of their test cases, data and designs.David VargasInformation Security ArchitectCadence Design Systems

My concern with encryption was the overhead on user and application performance. With Thales eSecurity, people have no idea it’s even running.Karl MudraCIODelta Dental of Missouri

The Vormetric solution not only solved all of our encryption needs but alleviated any fears of the complexity and overhead of managing the environment once it was in place.Joseph Johnson,chief information security officer CHS